Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the shr global-option). This vulnerability only applies when the shares feature is used for the specific purpose of creating a share of just a single file inside a folder or either the FTP or SFTP server is enabled, and also made publicly accessible. Given these conditions, when a user is browsing a share through either FTP or SFTP (not http or https), they can gain read-access to the remaining files inside the shared folder by guessing/bruteforcing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This vulnerability is similar to CVE-2025-58753 which was previously fixed for HTTP and HTTPS, but not for FTP. The FTPS server did not yet exist at that time. This vulnerability is fixed in 1.20.12.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32108.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-863"
]
}{
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
],
"cpe": "cpe:2.3:a:9001:copyparty:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.20.12"
}
]
}